d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655

Analysis

max time kernel
132s
max time network
64s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
Size

219KB
MD5

127b5374bddd4454fd7030f6ff055fd0
SHA1

d460bbb2f26470b695ce468142b05f8ac45a8443
SHA256

d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655
SHA512

8d9df8c40553d072e3f64bed91caf2a64dc2d2d22b61227d766c3cddbdf7252f1c236ddb8bd5b5ebac93657fcc5d5e89928e3b50d4a0b289c3b91476c2caf1f8
SSDEEP

3072:2FawsA+HjzFmRa2MJ9WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTTTTTnTo:2wwsXDz6izn76ppggmhOF0HFZlxZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1748	MSWDM.EXE
316	MSWDM.EXE
688	D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE
524	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
316	MSWDM.EXE
316	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
File opened for modification	C:\Windows\devE12C.tmp	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
File opened for modification	C:\Windows\devE12C.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
316	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1748	1728	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	28
PID 1728 wrote to memory of 1748	1728	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	28
PID 1728 wrote to memory of 1748	1728	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	28
PID 1728 wrote to memory of 1748	1728	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	28
PID 1728 wrote to memory of 316	1728	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	29
PID 1728 wrote to memory of 316	1728	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	29
PID 1728 wrote to memory of 316	1728	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	29
PID 1728 wrote to memory of 316	1728	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	29
PID 316 wrote to memory of 688	316	MSWDM.EXE	30
PID 316 wrote to memory of 688	316	MSWDM.EXE	30
PID 316 wrote to memory of 688	316	MSWDM.EXE	30
PID 316 wrote to memory of 688	316	MSWDM.EXE	30
PID 316 wrote to memory of 524	316	MSWDM.EXE	31
PID 316 wrote to memory of 524	316	MSWDM.EXE	31
PID 316 wrote to memory of 524	316	MSWDM.EXE	31
PID 316 wrote to memory of 524	316	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
"C:\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1728
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1748
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devE12C.tmp!C:\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE
    3⤵
    - Executes dropped EXE
    PID:688
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devE12C.tmp!C:\Users\Admin\AppData\Local\Temp\D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE

Filesize
219KB

MD5
2965f3759926279de30a7621056c999c

SHA1
e417a160c16877f5b6179cffd99d4a8d7ceb3d05

SHA256
d581de0a024b4ae67108ab3e5f5261ffc1e25eeed9fc7a1cfaaa2ca0d621a70b

SHA512
508841893d454928babeb15094bb14a40b5dc05765131c77cb3355e5304ca62e02c7cf2346919b545906cd583632a87c5a71f713e1b8768a8920b2f859f01637

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE

Filesize
219KB

MD5
2965f3759926279de30a7621056c999c

SHA1
e417a160c16877f5b6179cffd99d4a8d7ceb3d05

SHA256
d581de0a024b4ae67108ab3e5f5261ffc1e25eeed9fc7a1cfaaa2ca0d621a70b

SHA512
508841893d454928babeb15094bb14a40b5dc05765131c77cb3355e5304ca62e02c7cf2346919b545906cd583632a87c5a71f713e1b8768a8920b2f859f01637

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
38KB

MD5
a57fbaeb4b7393775a79b77db58941fb

SHA1
f03c8177ad0ae0e5e3fd01172f1db48f37566ae5

SHA256
e86dfbdd2f4a548a3d54f9d72c68914b63779c04cbf149bc59ccb6f36412eac7

SHA512
70082de1be2b013caaa75e48a9d037e03cc5f7e8f0c12761035e5268d6c66fde6cfb151d924ba9383a23c14feebe3b8df8cbb1d6bcbe61da076a6dc98433a92f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
a57fbaeb4b7393775a79b77db58941fb

SHA1
f03c8177ad0ae0e5e3fd01172f1db48f37566ae5

SHA256
e86dfbdd2f4a548a3d54f9d72c68914b63779c04cbf149bc59ccb6f36412eac7

SHA512
70082de1be2b013caaa75e48a9d037e03cc5f7e8f0c12761035e5268d6c66fde6cfb151d924ba9383a23c14feebe3b8df8cbb1d6bcbe61da076a6dc98433a92f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
a57fbaeb4b7393775a79b77db58941fb

SHA1
f03c8177ad0ae0e5e3fd01172f1db48f37566ae5

SHA256
e86dfbdd2f4a548a3d54f9d72c68914b63779c04cbf149bc59ccb6f36412eac7

SHA512
70082de1be2b013caaa75e48a9d037e03cc5f7e8f0c12761035e5268d6c66fde6cfb151d924ba9383a23c14feebe3b8df8cbb1d6bcbe61da076a6dc98433a92f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
a57fbaeb4b7393775a79b77db58941fb

SHA1
f03c8177ad0ae0e5e3fd01172f1db48f37566ae5

SHA256
e86dfbdd2f4a548a3d54f9d72c68914b63779c04cbf149bc59ccb6f36412eac7

SHA512
70082de1be2b013caaa75e48a9d037e03cc5f7e8f0c12761035e5268d6c66fde6cfb151d924ba9383a23c14feebe3b8df8cbb1d6bcbe61da076a6dc98433a92f

Download Submit
C:\Windows\devE12C.tmp

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
memory/316-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/524-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/688-65-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1728-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1748-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1748-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download